> Hello,
>
> Does anybody have any experience with generating a certificate from a
> certificate request, by signing it with an nCipher HSM (the CA key being
> stored on the HSM), through the nCore API?
> I am specifically interested in the actual data stream that I need to
> provide to the HSM for it to sign.
> The mechanism that I intend to use for signing is SHA1 - RSA.
>
> Thank you in advance for your help!
>
> --
> Silviu Vlasceanu
>
I tried and failed with the API. I ended up using openssl, with the
following invocation:

    /opt/nfast/bin/preload --preload-file=/opt/nfast/preload/preloadfile \
        --name-exact=rsa-<keyname> \
        openssl ca -batch -cert <the signing cert.pem> \
        -engine chil -keyform engine -keyfile rsa-<keyname> \
        -extensions <your extensions name> \
        -in <your cert request.pem> -out <your certfilename.pem> \
        -config ./sign.cnf

I don't think (but I may be wrong) that the nCipher HSM will turn your
cert request into a well-formed cert. It will just sign the formed cert.
You still need openssl or something similar to parse the request and make
a cert.

If you find out how to sign directly through the API, I'd love to know.
There's a ~300ms setup/teardown cost using openssl to drive the HSM, since
it is essentially one cert per session. The API hypothetically lets you
operate much faster, but I could never get it to work.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
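
Added example, not part of the original thread: in X.509 the signature covers the DER-encoded TBSCertificate, so that is the byte stream a signing device is asked to sign once openssl has formed the certificate. The script assumes a throwaway software RSA key in place of the HSM-held CA key and uses SHA-256 rather than the thread's SHA1; all file names and subjects are constructed.

```shell
#!/bin/sh
# Added example. A throwaway software RSA key stands in for the HSM-held CA key
# (assumption); all names and subjects below are constructed.
verify_tbs_is_signed_input() {
    d=$(mktemp -d) || return 1
    (
        cd "$d" || exit 1
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
            -subj "/CN=Demo CA" -keyout ca.key -out ca.pem 2>/dev/null || exit 1
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
            -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
        # openssl parses the request and builds the certificate body.
        openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 1 \
            -days 1 -sha256 -outform DER -out leaf.der 2>/dev/null || exit 1

        # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
        # asn1parse line 2 is tbsCertificate; the last line is the signature BIT STRING.
        map=$(openssl asn1parse -inform DER -in leaf.der) || exit 1
        tbs_off=$(printf '%s\n' "$map" | sed -n '2s/^ *\([0-9]*\):.*/\1/p')
        sig_off=$(printf '%s\n' "$map" | sed -n '$s/^ *\([0-9]*\):.*/\1/p')
        openssl asn1parse -inform DER -in leaf.der -strparse "$tbs_off" \
            -noout -out tbs.der || exit 1
        openssl asn1parse -inform DER -in leaf.der -strparse "$sig_off" \
            -noout -out sig.bin || exit 1

        # The certificate's signature verifies over the DER TBSCertificate bytes.
        openssl x509 -in ca.pem -pubkey -noout > ca.pub || exit 1
        openssl dgst -sha256 -verify ca.pub -signature sig.bin tbs.der \
            >/dev/null || exit 1

        # Signing those same bytes again reproduces the signature exactly
        # (PKCS#1 v1.5 is deterministic); this is the step an HSM would perform.
        openssl dgst -sha256 -sign ca.key -out resign.bin tbs.der || exit 1
        cmp -s sig.bin resign.bin
    )
    rc=$?
    rm -rf "$d"
    return "$rc"
}

verify_tbs_is_signed_input && echo "signature covers DER TBSCertificate"
```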